PT-2020-14174 · Typo3 · Extbase+2

Oliver Hader

·

Published

2020-07-29

·

Updated

2021-11-18

·

CVE-2020-15086

CVSS v3.1

9.8

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions TYPO3 "mediace" extension versions 7.6.2 through 7.6.4
Description A flaw in the internal verification mechanism of the "mediace" extension allows attackers to generate arbitrary checksums, enabling them to inject arbitrary data with a valid cryptographic message authentication code. This can lead to remote code execution. An attacker must have access to at least one Extbase plugin or module action in a TYPO3 installation to exploit this issue.
Recommendations For TYPO3 "mediace" extension versions 7.6.2 through 7.6.4, update to version 7.6.5 to resolve the issue.

Exploit

Fix

Deserialization of Untrusted Data

Information Disclosure

RCE


Weakness Enumeration

Related Identifiers

CVE-2020-15086
GHSA-4H44-W6FM-548G

Affected Products

Extbase
Typo3
Mediace